
Zimbra Collaboration, a widely used open-source email and collaboration platform, contains two newly disclosed security vulnerabilities that pose a serious risk to organizations relying on it for email, calendaring, file sharing, and task management. The flaws, tracked as CVE-2025-25064 and CVE-2025-25065, could allow attackers to gain unauthorized access to sensitive data and to internal network resources.
CVE-2025-25064 (CVSS 9.8) is a critical SQL injection vulnerability that affects Zimbra Collaboration versions 10.0.x before 10.0.12 and 10.1.x before 10.1.4. This vulnerability is due to insufficient sanitization of a user-supplied parameter in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating the parameter to inject arbitrary SQL queries, potentially allowing them to retrieve email metadata.
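The advisory does not publish the affected parameter or the vulnerable code, so the following is an added illustration of the general pattern described above, not Zimbra's own code: a lookup that pastes a user-supplied item identifier into a SQL string beside the hardened version that validates the type and binds it as a query parameter. The table, rows, function names and the `102 OR 1=1` payload are all constructed for this example; the point is that an attacker holding one valid account can use the injected clause to read metadata belonging to other mailboxes.

```python
import sqlite3

# Constructed sample data for this example; it is not Zimbra's schema.
SAMPLE_ITEMS = [
    (1, 101, "Q1 budget", "cfo@example.com"),
    (1, 102, "Lunch?", "bob@example.com"),
    (2, 201, "Offer letter", "hr@example.com"),
    (3, 301, "Pentest report", "sec@example.com"),
]


def build_db():
    """In-memory table of per-mailbox message metadata (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_item (mailbox_id INTEGER, item_id INTEGER, "
        "subject TEXT, sender TEXT)"
    )
    conn.executemany("INSERT INTO mail_item VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def fetch_metadata_vulnerable(conn, mailbox_id, item_id):
    """Builds the query by string formatting: item_id is pasted into the
    WHERE clause verbatim, so a crafted value rewrites the clause."""
    sql = (
        "SELECT mailbox_id, item_id, subject, sender FROM mail_item "
        f"WHERE mailbox_id = {mailbox_id} AND item_id = {item_id}"
    )
    return conn.execute(sql).fetchall()


def fetch_metadata_fixed(conn, mailbox_id, item_id):
    """Validates the type first, then binds both values as parameters so
    the driver never parses user input as SQL."""
    item_id = int(item_id)  # raises ValueError for anything that is not an integer
    sql = (
        "SELECT mailbox_id, item_id, subject, sender FROM mail_item "
        "WHERE mailbox_id = ? AND item_id = ?"
    )
    return conn.execute(sql, (mailbox_id, item_id)).fetchall()


def demo():
    """Runs both variants as mailbox 1 with a payload in the item-id
    parameter; returns row counts and whether the fix rejected the payload."""
    conn = build_db()
    payload = "102 OR 1=1"  # AND binds tighter than OR, so the clause becomes always-true
    leaked = fetch_metadata_vulnerable(conn, 1, payload)
    try:
        fetch_metadata_fixed(conn, 1, payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "rows_leaked": len(leaked),
        "rows_legit": len(fetch_metadata_fixed(conn, 1, 102)),
        "payload_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant returns every row in the table, including messages from mailboxes 2 and 3, while the fixed variant rejects the payload outright; even without the `int()` check, a bound parameter would be compared as a literal string and match nothing.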
CVE-2025-25065 (CVSS 5.3) is a moderate-severity Server-Side Request Forgery (SSRF) vulnerability that affects Zimbra Collaboration versions 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4. The flaw lies in the RSS feed parser and allows an attacker to redirect the server's feed fetch to internal network endpoints that are not reachable from outside.
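As an added example, not code from Zimbra, this is the kind of guard a feed fetcher needs against the redirection described above: resolve the feed host, refuse anything that lands on a non-global address (loopback, RFC 1918, link-local such as the cloud metadata address), and re-run that check on every redirect hop instead of letting the HTTP client follow redirects on its own. The DNS and redirect tables, host names and IP addresses are constructed so the example runs offline; a real implementation would resolve with `socket.getaddrinfo()` and read the `Location` header from the response.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],        # ordinary public address
    "metadata.internal": ["169.254.169.254"],      # link-local cloud metadata endpoint
    "intranet.corp": ["10.0.0.5"],                 # RFC 1918 host
    "localhost": ["127.0.0.1"],
}

# Constructed stand-in for an attacker-controlled 302: a public feed URL that
# bounces the server onto an internal admin interface.
FAKE_REDIRECTS = {
    "http://feeds.example.com/bounce": "http://intranet.corp/admin/",
}


def is_public_address(ip_text):
    """True only for globally routable addresses; rejects loopback, private,
    link-local, multicast, reserved and unspecified ranges (v4 and v6)."""
    return ipaddress.ip_address(ip_text).is_global


def validate_feed_url(url):
    """Return the resolved addresses for the URL's host, or raise ValueError
    when the scheme, host or any resolved address is unacceptable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if host is None:
        raise ValueError("missing host")
    try:
        # Literal IP in the URL: no lookup needed, same policy applies.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = FAKE_DNS.get(host)
        if not addrs:
            raise ValueError(f"unresolvable host: {host}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs


def fetch_feed(url, max_redirects=3):
    """Follow redirects by hand so every hop is validated; returns the URL
    that would finally be fetched."""
    current = url
    for _ in range(max_redirects + 1):
        validate_feed_url(current)
        next_url = FAKE_REDIRECTS.get(current)
        if next_url is None:
            return current
        current = next_url
    raise ValueError("too many redirects")


if __name__ == "__main__":
    for candidate in (
        "http://feeds.example.com/rss",
        "http://feeds.example.com/bounce",
        "http://metadata.internal/latest/",
    ):
        try:
            print("fetch", fetch_feed(candidate))
        except ValueError as err:
            print("blocked", candidate, "->", err)
```

Two caveats for a production version: the address checked must be the address actually connected to (resolve once and pin the socket to it, otherwise a DNS rebinding answer can pass the check and then change), and for a feature like RSS import an allowlist of permitted destinations is usually simpler to reason about than a denylist of internal ranges.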
Zimbra Collaboration has been a frequent target for cybercriminals, with multiple critical vulnerabilities exploited in the wild.
For example, in October 2024, attackers exploited CVE-2024-45519, a remote code execution (RCE) vulnerability in Zimbra's postjournal service. The flaw allowed attackers to send specially crafted emails carrying shell commands in the CC field, which were executed when the postjournal service processed the message.
Zimbra has released patches addressing both CVE-2025-25064 and CVE-2025-25065. Administrators should upgrade to 10.0.12 or 10.1.4, which fix both issues; on the 9.0.0 branch, Patch 43 addresses CVE-2025-25065. Because CVE-2025-25064 is reachable by any authenticated user, a single compromised mailbox account is sufficient to exploit it, so the update should not wait for evidence of an attacker with elevated access.